Malicious PDF — malware analysis report

Static analysis result for SHA-256 a641dc9fb284a562…

MALICIOUS

PDF

63.7 KB Created: 2021-06-26 03:50:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: c8ccbcc60ca004783d1fa20c59fd282b SHA-1: 710a090f7749a6b6af0f27987b83396e0f6b6058 SHA-256: a641dc9fb284a562b17c52f9c90b2f1c68fb4794529e5a531216ff84534f21b1
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating it is likely a phishing or malware distribution lure. The file functions as a link farm, with numerous embedded URLs pointing to compromised CMS upload directories and disposable hosting. These links likely lead to further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6902

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://refta-bg.com/userfiles/file/pelupubasusigizoseten.pdf In PDF document text
    • http://kraljicabih.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607a4172d6a14---tetapo.pdfIn PDF document text
    • http://osullivanspressurewashing.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ecdbb23855---57631067538.pdfIn PDF document text
    • https://www.physioaktivkramer.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606f5cdf5a895---82270911367.pdfIn PDF document text
    • https://activepymes.com/pub/file/40498062941.pdfIn PDF document text
    • http://trenermichal.pl/wp-content/plugins/formcraft/file-upload/server/content/files/16073670486c20---92455659098.pdfIn PDF document text
    • http://terapie-psi.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1608be619e503c---66300631658.pdfIn PDF document text
    • https://motacademy.it/file/wisisod.pdfIn PDF document text
    • https://earthideasawnings.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608efe753f936---12693718051.pdfIn PDF document text
    • https://fieldofgreen.com/wp-content/plugins/super-forms/uploads/php/files/7d70d7ceaa0a15afc350bb78435cdcb2/bavawobemo.pdfIn PDF document text
    • https://nepalaviationmuseum.com/userfiles/files/xegolorujet.pdfIn PDF document text
    • https://avenirpourtous.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160b05e2798a16---xowagenadefotosezilod.pdfIn PDF document text
    • http://alvasari.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a6d7b8a702---53649675825.pdfIn PDF document text
    • https://bursaceviritercume.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a2ff4e34f5f---21948198438.pdfIn PDF document text
    • https://getlovebooks.com/wp-content/plugins/super-forms/uploads/php/files/2af07473bbde81393f2b2d739c3c1cfa/sozurozi.pdfIn PDF document text
    • http://www.musicmaestrodiscos.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16084f0601c9d4---28140777892.pdfIn PDF document text
    • https://choiceenergynetwork.com/wp-content/plugins/super-forms/uploads/php/files/06ce75b1f0686becef7297d9d588499b/24175482126.pdfIn PDF document text
    • http://creative-format.com/upload/editor/files/wetarutasukawi.pdfIn PDF document text
    • https://qboardapp.com/wp-content/plugins/super-forms/uploads/php/files/f94abf30da6d5549dfe0cae0ebeaccb8/pelarujafi.pdfIn PDF document text
    • http://mhinflatable.com/upload/file/69324844570.pdfIn PDF document text
    • http://angarakshaksecurity.com/userfiles/file/bubujorenep.pdfIn PDF document text
    • http://marinapogon.pl/upload/file/gukoxufunumowexufuko.pdfIn PDF document text
    • https://ludifrance.fr/userfiles/file/dowotunofixodidabexu.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/A3Ryygt5BCM/uplcv?utm_term=bright+and+bushy+tailedPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d9bd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD9BD 10812 bytes
SHA-256: d0790550ccaebe90629db7565e9acfc77679660531ac323d2ce974eaf30acd36

Open this report in the interactive analyzer, or submit your own file for analysis.